
Ministers have gone against the findings of their own information governance review and allowed patient-identifiable data from GP records to be used in the NHS outside of the ‘safe havens’ recommended by the Caldicott report for six months.

Health secretary Jeremy Hunt has approved plans for NHS England to waive common confidentiality laws for six months under a legal exemption called section 251, allowing patient identifiable data to be passed to commissioners and support units.

Dame Fiona Caldicott said that most commissioning activities could be carried out without patient identifiable data and that any data carrying a high risk of being identified and being used for ‘any purpose other than direct care’ should be transferred using an accredited safe haven.

The data include those on Choose and Book referrals, urgent care data sets (including walk-in centres and out-of-hours), accident and emergency, waiting lists, outpatient and diagnostic attendances, community care, payment by results data, radiology and pathology data, community health data and home equipment loans among other data sets.

A guidance note from the HSCIC on the approval of the exemption said that CSUs and CCGs can receive patient-identifiable data if they ‘provide evidence of completion of level 2 of the Information Governance Toolkit’ or plans to bring them to level 2, as well as having a data sharing agreement and a signed data sharing contract in place.

It added that NHS England must demonstrate that it will only share personal confidential information where necessary.

It said: ‘The section 251 support is conditional upon regular reports to the Confidentiality Advisory Group to demonstrate the steps being taken to avoid the use of personal confidential data including improving upon the position of using weakly pseudonymised data.’

NHS England is expected to work towards an ‘end-state’ that reduces the need to process and handle personal confidential data, it added.

The exemption will run until October this year, conditional on an interim report to be considered by the Health Research Authority’s Confidentiality Advisory Group in June. The health secretary approved the section 251 exemption bid on the recommendation of advice from this group.

A Department of Health spokesperson said: ‘Following independent advice, approval has been granted to release information from the HSCIC to health bodies temporarily for a period of six months, subject to stringent conditions.

‘These include preventing individuals from being identified – and, that if a patient requests their personal information is not disclosed at all by the HSCIC, this is fully respected.

‘The bodies receiving the information must meet very high standards of information governance and if they breach information controls it could result in a significant fine of up to £500,000.’

You really think it's OK for Hunt to do this without the approval of patients? How many surgeries are even notifying their patients of this new development? Hopefully you misread what is happening:

"Health secretary Jeremy Hunt has approved plans for NHS England to waive common confidentiality laws for six months under a legal exemption called section 251, allowing patient identifiable data to be passed to commissioners and support units."

Firstly, the report above somewhat mis-states what is happening. The commissioners always had provider care data 'in the clear', and many of the commissioning business processes - e.g. quality assessments, claims management - and provider contracts are often built on that assumption. A "Section 251" agreement was in place to allow this for the last few years. All totally legal. The new Act does not allow the data to flow in the absence of a new 251 agreement. This was missed by those setting up the new structures until very recently. So for business as usual to continue, while business processes are reviewed and a solution identified which can work with 'weakly-identified' data, the current 251 has allowed 6 months to make some changes. Probably not long enough, IMHO.

A second - and very different - issue is the sharing of GP records. This is not related to the 251 as far as I understand it. GPES passes data in the clear, which is then pseudonymised. No change there.

Finally, many commissioners host computer systems used for direct care purposes (e.g. urgent care dashboards, risk stratification tools used in practice MDTs). Some of these do process GP records alongside records from other care providers. These systems were noted by the Caldicott review, which suggested some tightening of contract arrangements to make the IG more robust.